CCNA Malware, Social Engineering and Network Attacks Questions

75 of 216 questions · Page 2/3 · Malware, Social Engineering and Network Attacks · Answers revealed

76
MCQeasy

A security analyst receives an alert indicating that a workstation is sending outbound connections to a known malicious IP address. The analyst suspects a Trojan. Which tool is BEST for performing dynamic analysis of the suspicious binary?

A.VirusTotal
B.Sandbox
C.String analysis
D.PEiD
AnswerB

A sandbox runs the binary in a controlled environment to monitor its actions.

Why this answer

Sandbox environments safely execute malware to observe behavior, making them ideal for dynamic analysis.

77
Multi-Selectmedium

Which TWO of the following are examples of application-layer DDoS attacks? (Choose two.)

Select 2 answers
A.UDP flood
B.Slowloris
C.HTTP flood
D.SYN flood
E.Smurf attack
AnswersB, C

Slowloris is an application-layer attack that consumes server resources by keeping many connections open.

Why this answer

Slowloris and HTTP flood work at the application layer (Layer 7), exhausting the web server's connection pool or request-handling capacity rather than raw bandwidth. SYN flood is a protocol (state-exhaustion) attack against the TCP handshake, UDP flood is volumetric, and Smurf is an ICMP reflection/amplification attack, which is likewise volumetric rather than application-layer.

78
MCQhard

A forensic analyst examines a system infected with malware that displays ransomware notes and encrypts files. The analyst uses a sandbox to observe behavior. During analysis, the malware contacts a C2 server and downloads additional payloads. Which type of malware analysis is being performed?

A.Dynamic analysis
B.Static analysis
C.Network analysis
D.Code analysis
AnswerA

The sandbox execution and behavioral observation is dynamic analysis.

Why this answer

Dynamic analysis involves executing malware in a controlled environment to observe behavior.

79
MCQmedium

An organization experiences a DDoS attack where the attacker sends a flood of UDP packets to a server, causing it to become unresponsive. The packets appear to come from many different source IP addresses and are directed to random high-numbered ports. Which type of DDoS attack is this?

A.ICMP flood
B.UDP flood
C.SYN flood
D.Smurf attack
AnswerB

UDP flood sends a high volume of UDP datagrams to random ports, exhausting server resources.

Why this answer

A UDP flood is a volumetric attack that sends many UDP packets to random ports, overwhelming the target's ability to process them.

80
MCQmedium

A security team wants to mitigate a DNS amplification DDoS attack. Which of the following techniques would be MOST effective in preventing the attack from leveraging open DNS resolvers?

A.Deploy a web application firewall
B.Disable recursion on DNS servers for external queries
C.Use anycast routing for DNS servers
D.Implement rate limiting on DNS responses
AnswerB

Correct. Disabling recursion for external clients prevents the server from being used in amplification attacks.

Why this answer

DNS amplification relies on open resolvers that respond to queries from any source. Restricting recursive queries to trusted clients eliminates the amplification vector.

81
MCQeasy

A user reports that their system has become very slow and numerous pop-up ads appear even when browsing is not active. Which type of malware is MOST likely installed?

A.Adware
B.Ransomware
C.Keylogger
D.Spyware
AnswerA

Adware is known for displaying pop-up advertisements and degrading performance.

Why this answer

Adware displays unwanted advertisements and can cause system slowdowns.

82
MCQhard

A penetration tester uses a tool to perform a MAC flooding attack. What is the intended result of this attack?

A.Read all network traffic by turning the switch into a hub
B.Modify the MAC address of the attacker's NIC
C.Cause a denial of service on the switch
D.Poison the ARP cache of the target hosts
AnswerA

MAC flooding makes the switch act like a hub, forwarding all frames to all ports.

Why this answer

MAC flooding overwhelms a switch's CAM (MAC address) table. Once the table is full the switch can no longer learn new source addresses, and any frame whose destination it does not know is flooded out every port, so the attacker's port receives unicast traffic that would normally be switched only to its destination. This behaviour is often described as fail-open or hub mode, and it is what lets the attacker sniff the traffic.

83
MCQmedium

A penetration tester successfully predicts the TCP sequence numbers of a target and sends crafted packets to impersonate a trusted host. Which type of attack is this?

A.ARP poisoning
B.TCP sequence prediction attack
C.TCP session hijacking
D.DNS spoofing
AnswerC

Session hijacking uses sequence prediction to take over a TCP session.

Why this answer

TCP session hijacking involves predicting sequence numbers to inject packets and take over a session. It allows the attacker to impersonate one of the communicating parties.

84
Multi-Selecthard

Which THREE of the following are effective techniques to prevent ARP poisoning attacks? (Choose three.)

Select 3 answers
A.Enabling DHCP snooping
B.Configuring port security on switches
C.Using static ARP entries
D.Disabling STP on all ports
E.Implementing Dynamic ARP Inspection (DAI)
AnswersB, C, E

Port security limits MAC addresses per port, reducing spoofing.

Why this answer

Static ARP entries, Dynamic ARP Inspection, and port security help prevent ARP poisoning. DHCP snooping is not itself a defence against ARP poisoning, but DAI normally validates ARP packets against the DHCP snooping binding table, so in practice the two are enabled together. Disabling STP does nothing for ARP and invites Layer 2 loops.

85
MCQmedium

During a social engineering engagement, an attacker calls an employee pretending to be from IT support and asks for their password to perform a system update. Which social engineering technique is being employed?

A.Phishing
B.Pretexting
C.Quid pro quo
D.Vishing
AnswerB

Pretexting is creating a fabricated scenario to trick the target into revealing information.

Why this answer

Pretexting involves fabricating a scenario (pretext) to obtain information, such as pretending to be from IT support. Vishing names the voice channel the call uses, but the question asks for the technique, which is the fabricated scenario; the other choices refer to different techniques.

86
MCQmedium

During a penetration test, a tester uses a tool to perform ARP spoofing to intercept traffic between two hosts on the same subnet. Which tool is most commonly associated with this technique?

A.Wireshark
B.Ettercap
C.Metasploit
D.Nmap
AnswerB

Ettercap specializes in ARP spoofing and MITM attacks.

Why this answer

Ettercap is a well-known tool for ARP poisoning (spoofing) to perform man-in-the-middle attacks. It is specifically designed for this purpose.

87
Multi-Selectmedium

Which TWO of the following are valid techniques for session hijacking? (Select 2)

Select 2 answers
A.DNS spoofing
B.MAC flooding
C.TCP sequence prediction
D.Cookie theft
E.ARP poisoning
AnswersC, D

Predicting sequence numbers allows an attacker to inject packets into a TCP session.

Why this answer

Session hijacking can involve predicting TCP sequence numbers or stealing session cookies. ARP poisoning is a method to enable MITM but not direct session hijacking; DNS spoofing redirects traffic but not session hijacking per se.

88
MCQmedium

A penetration tester is performing a session hijacking attack. After capturing packets, the tester successfully predicts the TCP sequence numbers and injects packets to take over the session. Which type of attack is this?

A.MAC flooding
B.Cookie theft
C.TCP session hijacking
D.ARP poisoning
AnswerC

Predicting TCP sequence numbers allows an attacker to hijack a TCP session.

Why this answer

TCP sequence prediction is a classic method for session hijacking: the attacker guesses the sequence numbers the server expects, spoofs the trusted host's IP address, and injects packets that the server accepts as part of the existing session. ARP poisoning and MAC flooding are local network attacks, and cookie theft is application-level.

89
MCQhard

An attacker intercepts a TCP session between a client and a server. By analyzing sequence numbers, the attacker successfully predicts the next sequence number and injects malicious packets. Which attack is being performed?

A.DNS spoofing
B.ARP poisoning
C.Man-in-the-middle
D.Session hijacking
AnswerD

Session hijacking involves taking over a TCP session by predicting sequence numbers.

Why this answer

TCP session hijacking relies on predicting or obtaining valid sequence numbers to impersonate one party in a TCP connection.

90
MCQmedium

A penetration tester needs to perform ARP poisoning to intercept traffic between two hosts on the same subnet. Which tool would be the most appropriate choice for this task?

A.tcpdump
B.Ettercap
C.Nmap
D.Wireshark
AnswerB

Correct. Ettercap is designed for ARP poisoning and man-in-the-middle attacks.

Why this answer

Ettercap is a comprehensive suite for man-in-the-middle attacks on LAN, including ARP poisoning. It provides packet sniffing, interception, and injection capabilities.

91
MCQhard

During a ransomware incident response, a forensic analyst recovers a suspicious file that appears to be a PE executable. The analyst wants to quickly check if the file is known malware without executing it. Which of the following is the BEST first step?

A.Disassemble the file using IDA Pro
B.Submit the file hash to VirusTotal
C.Perform static analysis using PEiD to identify compiler and packer
D.Run the file in a sandbox and observe its behavior
AnswerB

Correct. VirusTotal provides a quick check against multiple AV engines and threat intelligence feeds.

Why this answer

VirusTotal aggregates many antivirus engines and provides a quick reputation check. Looking up the file hash is non-invasive and immediately reveals known malicious indicators. Prefer the hash lookup before uploading the file itself: an uploaded sample becomes visible to other VirusTotal users, which can tip off the attacker and leak any sensitive data embedded in the sample.

92
MCQmedium

A security analyst notices an unusual spike in outbound traffic on UDP port 53 from a single internal host. The host is not a DNS server. Which type of malware is MOST likely responsible?

A.A worm that spreads via email attachments
B.A polymorphic virus
C.A DNS tunneling tool used for data exfiltration
D.A keylogger that sends captured keystrokes via HTTP
AnswerC

DNS tunneling encodes data in DNS queries/responses, causing increased UDP 53 traffic.

Why this answer

A DNS tunneling tool uses DNS queries to exfiltrate data, which would cause an increase in UDP port 53 traffic. The other options are less likely to generate such traffic.
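
To make the detection concrete, here is an added example (not part of the quiz page) that applies the heuristics behind Q92 to a few constructed DNS query log lines: per-host grouping by zone, first-label length, Shannon entropy of the label, never-repeating subdomains, and rare query types such as TXT or NULL. The log format and the thresholds are assumptions chosen for illustration.

```python
"""Heuristic DNS-tunnelling detector over constructed DNS query log lines (added example)."""
import math
from collections import defaultdict

# Constructed sample log: one host browsing normally, one host pushing base32-looking
# blobs through a single attacker-controlled zone. Format assumed: "<src> <qtype> <qname>".
SAMPLE_LOG = """
10.0.0.7 A www.example.com
10.0.0.7 A cdn.example.net
10.0.0.7 AAAA mail.example.com
10.0.0.42 TXT mfrggzdfmztwq2lknnwg23tpobyxe43uov3ho6dzpi.tun.example.org
10.0.0.42 TXT nbswy3dpeb3w64tmmq4wszlsfzrg6zbxo52gc3tdna.tun.example.org
10.0.0.42 TXT onswg4tforrw63lfortsiy3qmvzhk4tsfzsgkzlsxg.tun.example.org
10.0.0.42 TXT gezdgnbvgy3tqojqmfrgg2lknnwg23tpobyxe43uov.tun.example.org
10.0.0.42 NULL mjqxgzjtgiwgizlugexg2zlomnxwizlemf5gk2dpn5.tun.example.org
""".strip()


def shannon_entropy(s: str) -> float:
    """Bits per character of s; a random base32 label scores far above a dictionary word."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname: str) -> str:
    """Crude eTLD+1 (last two labels); production code would use a public-suffix list."""
    return ".".join(qname.rstrip(".").split(".")[-2:])


def analyse(log: str, min_label_len: int = 30, min_entropy: float = 3.5):
    """Return {src_ip: details} for hosts whose queries to one zone look like a tunnel."""
    per_host = defaultdict(list)
    for line in log.splitlines():
        src, qtype, qname = line.split()
        per_host[src].append((qtype, qname))

    findings = {}
    for src, queries in per_host.items():
        by_zone = defaultdict(list)
        for qtype, qname in queries:
            by_zone[registered_domain(qname)].append((qtype, qname))
        for zone, qs in by_zone.items():
            first_labels = [qname.split(".")[0] for _, qname in qs]
            longest = max(len(lab) for lab in first_labels)
            entropy = max(shannon_entropy(lab) for lab in first_labels)
            unique_ratio = len(set(first_labels)) / len(qs)   # tunnels never repeat a label
            if longest >= min_label_len and entropy >= min_entropy and unique_ratio > 0.5:
                findings[src] = {
                    "zone": zone,
                    "queries": len(qs),
                    "longest_label": longest,
                    "max_entropy": round(entropy, 2),
                    "rare_qtypes": sum(1 for t, _ in qs if t in ("TXT", "NULL", "CNAME")),
                }
    return findings


if __name__ == "__main__":
    for host, details in analyse(SAMPLE_LOG).items():
        print(host, details)
```

Run it and only 10.0.0.42 is reported, against example.org. In practice the same heuristics run over resolver query logs or Zeek dns.log, and the length and entropy thresholds must be tuned against a baseline, because CDNs and some anti-spam services also use long, random-looking labels.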

93
MCQeasy

A user reports that their computer is infected with ransomware. Which of the following is the BEST immediate action for the security team to take?

A.Disconnect the computer from the network
B.Pay the ransom to regain access
C.Run a full antivirus scan
D.Restore the system from a recent backup
AnswerA

Isolation prevents further damage.

Why this answer

The first step is to isolate the infected machine from the network to prevent the ransomware from spreading to other systems.

94
MCQhard

An attacker uses the Social Engineering Toolkit (SET) to craft a phishing email that appears to come from the company's CEO, requesting the recipient to urgently wire funds to a new vendor. This attack is BEST described as which type of social engineering?

A.Pretexting
B.Spear phishing
C.Whaling
D.Quid pro quo
AnswerC

Whaling is a phishing attack directed at senior executives or high-value targets. The impersonation of the CEO fits.

Why this answer

Whaling targets senior executives or high-profile individuals, and impersonating the CEO is the scenario exam material typically files under whaling. Spear phishing is targeted but not necessarily at executives. Note that, strictly speaking, the executive here is the impersonated party rather than the victim; industry reporting usually calls this business email compromise (BEC) or CEO fraud, so expect either label depending on the source.

95
MCQmedium

A user receives a phone call from someone claiming to be from IT support, asking for their password to perform a system update. This is an example of which social engineering technique?

A.Baiting
B.Pretexting
C.Phishing
D.Vishing
AnswerB

Pretexting involves impersonation to gain trust.

Why this answer

Pretexting involves creating a fabricated scenario to obtain information. The caller pretends to be IT support.

96
MCQmedium

An analyst is analyzing a suspicious file using VirusTotal and observes that only 3 out of 60 antivirus engines detect it as malicious. The file has been submitted before but with no detections. What should the analyst conclude?

A.The file is a clean file with a rare hash
B.The file is safe because most engines don't detect it
C.The file is likely a false positive
D.The file is likely malicious and requires further analysis
AnswerD

Low detection rate suggests it may be new malware; further analysis is warranted.

Why this answer

A low detection rate does not mean the file is clean; it suggests a new variant or a heavily obfuscated sample that most engines have not yet characterised. An earlier submission with no detections followed by a few detections now indicates that signatures are only starting to catch up. Treat the file as potentially malicious and perform further (dynamic) analysis.

97
MCQmedium

A security analyst notices repeated TCP SYN packets sent to a server without corresponding SYN-ACK replies. The source IP addresses are spoofed and appear to be random. Which type of attack is MOST likely occurring?

A.SYN flood
B.UDP flood
C.ICMP flood
D.Ping of Death
AnswerA

The description matches a SYN flood: spoofed SYN packets without completing the handshake.

Why this answer

SYN flood attacks exploit the TCP three-way handshake by sending many SYN requests with spoofed IPs, exhausting the server's connection queue.

98
Multi-Selecthard

Which THREE of the following are examples of application-layer DDoS attacks? (Select 3)

Select 3 answers
A.Slowloris
B.HTTP flood
C.SYN flood
D.DNS amplification
E.UDP flood
AnswersA, B, D

Slowloris holds connections open to exhaust server resources.

Why this answer

Application-layer attacks target OSI Layer 7. Slowloris keeps many connections open and HTTP flood sends many requests. DNS amplification is more commonly classified as a volumetric reflection attack, since it exhausts the victim's bandwidth, but this question counts it as application-layer because it abuses the DNS protocol itself; be aware that other questions on this page treat it as volumetric.

99
MCQeasy

Which type of social engineering attack involves a malicious actor impersonating a legitimate organization in a voicemail message to trick the victim into revealing sensitive information?

A.SMiShing
B.Pharming
C.Baiting
D.Vishing
AnswerD

Vishing uses voice communication to deceive.

Why this answer

Vishing (voice phishing) uses phone calls or voicemail to deceive victims. SMiShing uses SMS, pharming redirects websites, and baiting offers something enticing.

100
MCQeasy

Which malware analysis approach involves running the suspicious file in a controlled environment to observe its behavior?

A.Dynamic analysis
B.Code review
C.Signature detection
D.Static analysis
AnswerA

Dynamic analysis involves execution to observe runtime behavior.

Why this answer

Dynamic analysis is the correct approach because it involves executing the suspicious file in a controlled, isolated environment (such as a sandbox or virtual machine) to monitor its runtime behavior, including file system changes, registry modifications, network connections, and process injections. This allows analysts to observe actual malicious actions without risking the production environment, making it essential for understanding zero-day threats and obfuscated malware that static analysis might miss.

Exam trap

EC-Council often tests the misconception that static analysis is sufficient for all malware types, but the trap here is that candidates confuse 'static analysis' (which examines code without execution) with 'dynamic analysis' (which requires execution), leading them to pick static analysis when the question explicitly asks for observing behavior in a controlled environment.

How to eliminate wrong answers

Option B is wrong because code review is a manual or automated examination of the malware's source code or disassembled instructions without execution, which falls under static analysis and cannot reveal runtime behaviors like API calls or network traffic. Option C is wrong because signature detection relies on pre-defined patterns (e.g., hash values or byte sequences) to identify known malware, but it fails against polymorphic or novel malware that lacks matching signatures. Option D is wrong because static analysis examines the file's structure, strings, and code without execution, missing dynamic behaviors such as self-modification, anti-debugging tricks, or delayed payload activation.

101
Multi-Selecthard

Which THREE of the following are common methods used to mitigate DDoS attacks? (Select 3)

Select 3 answers
A.MAC flooding
B.Rate limiting
C.Scrubbing centers
D.ARP poisoning
E.Anycast network distribution
AnswersB, C, E

Rate limiting restricts the number of requests accepted from a source.

Why this answer

Rate limiting reduces traffic volume, scrubbing centers filter malicious traffic, and anycast distributes traffic across multiple nodes to absorb attacks. Black hole routing is also used but is a more drastic measure.

102
MCQeasy

A security analyst receives an email that appears to be from the CEO, urgently requesting a wire transfer. The email address is slightly misspelled (ceo@cornpany.com instead of ceo@company.com). Which type of social engineering attack is this?

A.Vishing
B.Whaling
C.Spear phishing
D.Phishing
AnswerC

Targeted at a specific individual with personalized content.

Why this answer

Spear phishing is a targeted phishing attack aimed at a specific individual or organization, often using personalized information to appear legitimate. This email targets the analyst specifically and uses a look-alike domain (cornpany.com, with 'rn' imitating 'm'), which makes it spear phishing rather than generic phishing. It is not whaling either: whaling targets high-level executives, and although the CEO is impersonated here, the recipient is the analyst.
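
The misspelled domain in Q102 is the kind of thing a mail-gateway rule can catch. The added example below (not from the quiz page) flags senders whose domain imitates a trusted one, either by homoglyph substitution such as 'rn' for 'm' or by a small edit distance, and combines that with an urgency/payment keyword check. The confusable table, the distance threshold and the sample messages are constructed for illustration.

```python
"""Look-alike sender-domain detection (added example, e.g. ceo@cornpany.com vs company.com)."""

# Visually confusable sequences mapped to the character they imitate (assumed table).
CONFUSABLES = {"rn": "m", "vv": "w", "cl": "d", "0": "o", "1": "l", "3": "e", "5": "s"}


def normalise(domain: str) -> str:
    """Lower-case, drop a trailing dot, and fold confusable sequences."""
    d = domain.lower().rstrip(".")
    for seq, rep in CONFUSABLES.items():
        d = d.replace(seq, rep)
    return d


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address: str, trusted_domains, max_distance: int = 2) -> str:
    """'exact' for a trusted domain, 'lookalike' if it imitates one, else 'unrelated'."""
    domain = address.rsplit("@", 1)[-1].lower()
    if domain in trusted_domains:
        return "exact"
    for trusted in trusted_domains:
        if normalise(domain) == normalise(trusted):
            return "lookalike"      # homoglyph substitution (rn -> m, vv -> w, ...)
        if levenshtein(domain, trusted) <= max_distance:
            return "lookalike"      # typo-squat within a couple of edits
    return "unrelated"


# Constructed messages: (sender, subject).
SAMPLE_MESSAGES = [
    ("ceo@company.com", "Q3 numbers"),
    ("ceo@cornpany.com", "URGENT wire transfer to new vendor"),
    ("ceo@compnay.com", "Please process payment today"),
    ("newsletter@vendor-news.net", "March update"),
]

URGENT_WORDS = ("urgent", "wire", "payment", "transfer")


def flag_messages(messages, trusted_domains=("company.com",)):
    """Return (sender, reason) for messages a gateway should quarantine."""
    flagged = []
    for sender, subject in messages:
        verdict = classify_sender(sender, trusted_domains)
        urgent = any(w in subject.lower() for w in URGENT_WORDS)
        if verdict == "lookalike" and urgent:
            flagged.append((sender, "look-alike domain plus urgent money request"))
    return flagged


if __name__ == "__main__":
    for item in flag_messages(SAMPLE_MESSAGES):
        print(item)
```

The exact-match check runs before the fuzzy ones so legitimate internal mail is never flagged; the real gateway control is still SPF/DKIM/DMARC on the genuine domain, which this heuristic complements rather than replaces.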

103
MCQhard

During a penetration test, you run the command: 'macof -i eth0 -s 192.168.1.1 -d 192.168.2.1 -e 00:11:22:33:44:55'. What is the intended effect of this command?

A.Execute a SYN flood against the target
B.Perform MAC flooding to cause switch to fail open
C.Perform ARP poisoning
D.Spoof DNS responses
AnswerB

macof floods with random MACs to exhaust CAM table, enabling sniffing.

Why this answer

macof is a tool used for MAC flooding, which floods a switch with fake MAC addresses to overflow the CAM table, causing the switch to fail open and operate like a hub, allowing packet sniffing.

104
Multi-Selectmedium

Which TWO of the following are examples of application-layer DDoS attacks? (Select 2)

Select 2 answers
A.HTTP flood
B.ICMP flood
C.SYN flood
D.UDP flood
E.Slowloris
AnswersA, E

HTTP flood sends many legitimate-looking HTTP requests.

Why this answer

HTTP flood is an application-layer DDoS attack because it targets the HTTP protocol (Layer 7) by overwhelming a web server with seemingly legitimate GET or POST requests. Unlike network-layer attacks, HTTP flood exploits the server's processing of application-layer requests, often mimicking normal user behavior to bypass basic rate limiting. This forces the server to allocate resources for each request, eventually exhausting connection pools or CPU cycles.

Exam trap

The trap here is that candidates often confuse network-layer attacks (ICMP, SYN, UDP floods) with application-layer attacks, mistakenly thinking any flood of traffic qualifies as application-layer, when in fact application-layer attacks specifically target protocols like HTTP, DNS, or SMTP at Layer 7.

105
MCQeasy

An organization experiences a DDoS attack where a large volume of DNS queries with spoofed source IPs are sent to open DNS resolvers, which then amplify the traffic to the victim. Which type of attack is this?

A.UDP flood
B.Smurf attack
C.SYN flood
D.DNS amplification
AnswerD

Uses open DNS resolvers to amplify traffic to the victim.

Why this answer

This is a DNS amplification attack, a type of volumetric DDoS where small queries generate large responses, amplified by the number of resolvers.

106
MCQmedium

An analyst uses the following command to capture traffic: tcpdump -i eth0 -w capture.pcap host 10.0.0.5 and port 80. After generating traffic from a web server at 10.0.0.5, the analyst examines the pcap with Wireshark. What type of traffic will appear in the capture?

A.All HTTP traffic on the network
B.HTTP traffic to and from 10.0.0.5
C.Only HTTP traffic originating from 10.0.0.5
D.All traffic from 10.0.0.5 on any port
AnswerB

The capture includes both directions (to and from) on port 80 for that host.

Why this answer

The filter 'host 10.0.0.5 and port 80' captures packets to or from 10.0.0.5 in which either the source or the destination port is 80. It does not specify direction, so both inbound and outbound HTTP traffic for that host is captured. Note that 'port 80' alone matches TCP and UDP; use 'tcp port 80' to restrict the capture to HTTP over TCP.

107
MCQhard

A system administrator notices unusual outbound traffic from a server on port 4444. The server has no legitimate service listening on that port. A malware analyst runs 'strings' on a suspicious binary and finds a reference to 'cmd.exe /c' and an IP address. What type of malware is MOST likely present?

A.Worm
B.Keylogger
C.Backdoor Trojan
D.Ransomware
AnswerC

A backdoor Trojan allows remote access and execution of commands. The combination of a suspicious port and 'cmd.exe /c' indicates a remote shell.

Why this answer

Port 4444 is commonly associated with Metasploit's default reverse shell payload. The presence of 'cmd.exe /c' and an IP address indicates a backdoor that provides remote command execution, which is a Trojan backdoor or RAT.

108
MCQmedium

A network administrator receives an alert that the switch's CAM table is full, causing the switch to flood frames out all ports. Which attack has likely occurred?

A.DNS spoofing
B.ARP poisoning
C.MAC flooding
D.SYN flood
AnswerC

MAC flooding sends many fake MAC addresses to fill the CAM table, causing the switch to flood traffic.

Why this answer

MAC flooding attacks fill the CAM table to force the switch into hub mode for sniffing.
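
Q82, Q103 and Q108 all describe the same mechanism. The added example below (not from the quiz page, and not real switch firmware) models a learning switch with a fixed-size CAM table and entry aging, floods it with random source MACs the way macof does, and shows that once the legitimate entries age out they cannot be relearned, so the victim's unicast traffic is flooded to the attacker's port. It finishes with the check port security performs: counting distinct source MACs per port. Capacities, addresses and timings are arbitrary.

```python
"""Simulate CAM-table exhaustion (MAC flooding) and a port-security style check (added example)."""
import random

VICTIM = "aa:aa:aa:aa:aa:01"
SERVER = "bb:bb:bb:bb:bb:02"


def random_mac() -> str:
    return ":".join(f"{random.randrange(256):02x}" for _ in range(6))


class Switch:
    """Learning switch: CAM maps MAC -> (port, last_seen); unknown destinations are flooded."""

    def __init__(self, ports, cam_capacity, aging_time=300):
        self.ports = list(ports)
        self.cam_capacity = cam_capacity
        self.aging_time = aging_time
        self.now = 0
        self.cam = {}
        self.seen = []              # (src_mac, in_port) for every frame, for the audit below
        self.learn_failures = 0     # sources that could not be learned because the CAM was full

    def tick(self, seconds):
        """Advance time and age out stale CAM entries, as a real switch does."""
        self.now += seconds
        self.cam = {m: (p, t) for m, (p, t) in self.cam.items()
                    if self.now - t < self.aging_time}

    def forward(self, src_mac, dst_mac, in_port):
        """Return the egress port list for one frame."""
        self.seen.append((src_mac, in_port))
        if src_mac in self.cam or len(self.cam) < self.cam_capacity:
            self.cam[src_mac] = (in_port, self.now)
        else:
            self.learn_failures += 1
        if dst_mac in self.cam:
            return [self.cam[dst_mac][0]]                  # known unicast: one port
        return [p for p in self.ports if p != in_port]     # miss: flood, hub-like


def mac_flood(switch, attacker_port, frames):
    """What macof does: frames with random source and destination MACs."""
    for _ in range(frames):
        switch.forward(random_mac(), random_mac(), attacker_port)


def attacker_sees_victim(switch, attacker_port):
    """Does a victim -> server unicast frame now leave the attacker's port?"""
    return attacker_port in switch.forward(VICTIM, SERVER, in_port=1)


def port_security_violations(switch, max_macs_per_port=2):
    """Ports that sourced more distinct MACs than port security would allow."""
    per_port = {}
    for src_mac, port in switch.seen:
        per_port.setdefault(port, set()).add(src_mac)
    return sorted(p for p, macs in per_port.items() if len(macs) > max_macs_per_port)


def demo(cam_capacity=64, flood_frames=500, attacker_port=3, seed=1):
    random.seed(seed)
    sw = Switch(ports=[1, 2, 3, 4], cam_capacity=cam_capacity)
    sw.forward(VICTIM, SERVER, in_port=1)        # victim learned on port 1
    sw.forward(SERVER, VICTIM, in_port=2)        # server learned on port 2
    before = attacker_sees_victim(sw, attacker_port)
    sw.tick(sw.aging_time + 1)                   # legitimate entries age out...
    mac_flood(sw, attacker_port, flood_frames)   # ...and the flood fills every slot
    after = attacker_sees_victim(sw, attacker_port)
    return {"before": before, "after": after,
            "learn_failures": sw.learn_failures,
            "violating_ports": port_security_violations(sw)}


if __name__ == "__main__":
    print(demo())
```

Before the flood the victim's frame leaves port 2 only; afterwards it is flooded to ports 2, 3 and 4. The per-port MAC count is exactly what 'switchport port-security maximum' enforces, which is why port security is the standard control for this attack.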

109
MCQmedium

A security analyst observes a gradual increase in network traffic from an internal host to an external IP address on port 443, with the host also connecting to a known command-and-control (C2) domain. Which type of malware is MOST likely responsible?

A.Ransomware
B.Worm
C.Boot sector virus
D.Backdoor Trojan
AnswerD

Backdoor Trojans establish remote access and often communicate with C2 servers.

Why this answer

A backdoor Trojan provides remote access to an attacker, often using encrypted C2 communications. The connections to a C2 domain on port 443 (HTTPS) are indicative of backdoor activity.

110
MCQmedium

A security analyst notices a significant increase in outbound traffic from an internal server to multiple external IPs on port 443. The server is not a web server and should not be initiating such connections. Which type of malware is MOST likely causing this behavior?

A.A boot sector virus
B.A backdoor Trojan
C.A fileless virus
D.A worm
AnswerB

Backdoors provide remote access and often communicate with C2 servers over encrypted channels like HTTPS.

Why this answer

A backdoor Trojan allows an attacker to remotely control the infected system. The outbound connections are likely command-and-control traffic over HTTPS to hide from network monitoring.

111
MCQhard

A security team detects that an internal host is sending ARP replies claiming to have the IP address of the default gateway. Which tool is MOST likely being used to perform this attack?

A.Nmap
B.tcpdump
C.Wireshark
D.Ettercap
AnswerD

Ettercap specializes in ARP poisoning and MITM attacks.

Why this answer

Ettercap is a well-known tool for ARP poisoning attacks. ARP spoofing involves sending fake ARP replies to associate the attacker's MAC with the gateway's IP.

112
MCQmedium

A penetration tester uses a tool to perform ARP poisoning and then launches a man-in-the-middle attack. The tool also allows session hijacking and sniffing. Which of the following tools is being used?

A.Wireshark
B.tcpdump
C.Ettercap
D.Nmap
AnswerC

Ettercap supports ARP poisoning, MITM, and sniffing.

Why this answer

Ettercap is a comprehensive tool for ARP poisoning, MITM attacks, session hijacking, and sniffing.

113
MCQeasy

A system administrator receives a phone call from someone claiming to be from IT support, asking for the administrator's password to 'fix a server issue'. This is an example of which social engineering attack?

A.Vishing
B.Baiting
C.Phishing
D.Pretexting
AnswerD

Pretexting uses a fabricated story to gain information.

Why this answer

Pretexting involves creating a fabricated scenario (pretext) to obtain sensitive information, such as a password. The caller pretends to be IT support to trick the victim.

114
MCQmedium

During a penetration test, a security analyst runs the following command on a Linux system: ettercap -T -M arp:remote /192.168.1.1// /192.168.1.100//. What is the PRIMARY purpose of this command?

A.To spoof the DNS responses to redirect the target to a malicious site
B.To sniff all traffic on the network by enabling promiscuous mode on the interface
C.To perform a denial-of-service attack by flooding the network with ARP replies
D.To perform a man-in-the-middle attack between the gateway and the target host
AnswerD

The -M arp:remote option enables MITM via ARP poisoning.

Why this answer

The command uses Ettercap with ARP poisoning (arp:remote) to perform a man-in-the-middle attack between the gateway (192.168.1.1) and a target host (192.168.1.100). This allows interception and modification of traffic.

115
Multi-Selectmedium

Which TWO of the following are characteristics of a polymorphic virus?

Select 2 answers
A.It changes its code signature each time it infects a new file
B.It spreads via email attachments
C.It uses encryption with a variable key
D.It remains dormant until a specific date or time
E.It can infect the Master Boot Record (MBR)
AnswersA, C

Polymorphic viruses mutate their code to avoid detection.

Why this answer

Option A is correct because a polymorphic virus changes its decryption routine and code signature each time it infects a new file, making signature-based detection difficult. Option C is correct because the usual mechanism is to encrypt the payload with a different key on every infection, so the stored bytes differ each time while the decrypted payload is unchanged; a polymorphic engine also varies the decryption loop itself so that the decryptor does not become a stable signature.

Exam trap

The trap here is that candidates confuse the method of propagation (e.g., email) or activation trigger (e.g., date) with the core definition of polymorphism, which is solely about code mutation to evade signature detection.

116
MCQhard

An analyst captures network traffic and sees a large number of packets with source IP 10.0.0.1, destination IP 192.168.1.1, TCP SYN flag set, with sequence numbers that appear incremental. The destination responds with SYN-ACK but the source never completes the handshake. Which attack is MOST likely occurring?

A.ARP poisoning
B.SYN flood
C.ICMP flood
D.DNS amplification
AnswerB

SYN flood uses incomplete TCP handshakes to exhaust resources.

Why this answer

In a TCP SYN flood, the attacker sends many SYN packets with spoofed IPs (or non-responsive IPs) and never completes the handshake, exhausting server resources.

117
MCQeasy

Which type of malware is characterized by its ability to spread without requiring a host file and can replicate across networks automatically?

A.Virus
B.Trojan
C.Worm
D.Ransomware
AnswerC

A worm is a standalone program that self-replicates and spreads across networks.

Why this answer

A worm is a standalone malware that self-replicates and spreads across networks, unlike viruses that require a host file.

118
Multi-Selectmedium

Which TWO of the following are examples of social engineering attacks? (Select two)

Select 2 answers
A.Pharming
B.Pretexting
C.SYN flood
D.Brute force attack
E.Vishing
AnswersB, E

Pretexting involves creating a fabricated scenario to obtain information.

Why this answer

Pretexting and vishing are social engineering. Brute force and SYN flood are technical attacks. Pharming redirects victims to a fraudulent site by tampering with DNS or the hosts file rather than by manipulating a person, so it is classed as a technical attack.

119
MCQhard

During a penetration test, an analyst uses a tool that sends forged ARP replies to associate the attacker's MAC address with the IP address of the default gateway. This technique allows the attacker to intercept traffic. Which tool is commonly used for this purpose?

A.Ettercap
B.Wireshark
C.Nmap
D.tcpdump
AnswerA

Ettercap performs ARP poisoning and MITM attacks.

Why this answer

Ettercap is a comprehensive suite for man-in-the-middle attacks, including ARP poisoning.
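
Q84, Q111 and Q119 describe the attack and its control. The added example below (not part of the quiz page) does in software what Dynamic ARP Inspection does on a switch: it validates constructed ARP reply records, in the shape of tcpdump's ARP output, against a trusted IP-to-MAC binding table standing in for the DHCP snooping database, drops replies that contradict it, and raises an alert when a single MAC answers for more than one protected address, which is the signature of a gateway-and-host poisoning such as the ettercap arp:remote run in Q114. Addresses and bindings are assumptions.

```python
"""DAI-style validation of ARP replies against a trusted binding table (added example)."""
import re
from collections import defaultdict

ARP_LINE = re.compile(
    r"^(?P<ts>\S+) ARP, Reply (?P<ip>\d+\.\d+\.\d+\.\d+) is-at (?P<mac>[0-9a-fA-F:]{17})"
    r"(?:, .*)?$"
)

# Trusted bindings (what DHCP snooping would have recorded). Assumed values.
TRUSTED_BINDINGS = {
    "192.168.1.1": "00:50:56:c0:00:08",    # default gateway
    "192.168.1.100": "08:00:27:4e:66:a1",  # target host
}

# Constructed capture: two legitimate replies, then an attacker (MAC ...ee) claiming
# both the gateway and the target, which is exactly what arp:remote poisoning does.
SAMPLE_CAPTURE = """
12:00:01.000 ARP, Reply 192.168.1.1 is-at 00:50:56:c0:00:08, length 46
12:00:01.500 ARP, Reply 192.168.1.100 is-at 08:00:27:4e:66:a1, length 46
12:00:02.000 ARP, Reply 192.168.1.1 is-at de:ad:be:ef:00:ee, length 46
12:00:02.010 ARP, Reply 192.168.1.100 is-at de:ad:be:ef:00:ee, length 46
12:00:03.000 ARP, Reply 192.168.1.1 is-at de:ad:be:ef:00:ee, length 46
""".strip()


def parse_arp_replies(capture: str):
    """Yield (timestamp, ip, mac) for each ARP reply line; other lines are ignored."""
    for line in capture.splitlines():
        m = ARP_LINE.match(line)
        if m:
            yield m.group("ts"), m.group("ip"), m.group("mac").lower()


def inspect(capture: str, bindings):
    """Return (dropped, alerts): replies DAI would drop, and MACs claiming several IPs."""
    dropped = []
    claims = defaultdict(set)      # mac -> set of IPs it claimed to own
    for ts, ip, mac in parse_arp_replies(capture):
        claims[mac].add(ip)
        expected = bindings.get(ip)
        if expected is None or expected != mac:
            dropped.append((ts, ip, mac, expected))   # untrusted or contradicting binding
    # One MAC answering for more than one protected IP is the MITM signature.
    alerts = {mac: sorted(ips) for mac, ips in claims.items() if len(ips) > 1}
    return dropped, alerts


if __name__ == "__main__":
    dropped, alerts = inspect(SAMPLE_CAPTURE, TRUSTED_BINDINGS)
    for entry in dropped:
        print("DROP", entry)
    for mac, ips in alerts.items():
        print("ALERT", mac, "claims", ips)
```

The same logic is what a host-based tool such as arpwatch applies (alerting on a changed IP-to-MAC pairing); on the switch, DAI additionally rate-limits ARP on untrusted ports so the flood of replies cannot simply outrun the inspection.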

120
MCQmedium

Which of the following is a characteristic of a polymorphic virus?

A.It changes its code pattern every time it infects a new file or system.
B.It spreads through network shares without requiring user interaction.
C.It remains dormant until a specific date or time.
D.It infects the master boot record of a hard drive.
AnswerA

Polymorphic viruses use encryption or other techniques to change their signature while preserving functionality.

Why this answer

Polymorphic viruses mutate their code with each infection to evade signature-based detection, while often keeping the original functionality intact.

121
MCQmedium

A security analyst reviews a sandbox report for a suspicious executable. The report shows that the executable modified the Windows registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run to add a new entry pointing to itself. This action is characteristic of which type of malware?

A.Logic bomb
B.Backdoor Trojan
C.Ransomware
D.Adware
AnswerB

Backdoor Trojans commonly use registry run keys for persistence.

Why this answer

A backdoor Trojan often persists by adding itself to startup registry keys to maintain access. The other options are incorrect: logic bombs activate under specific conditions, adware displays ads, and ransomware typically demands payment.

122
MCQmedium

A security analyst runs the command 'tcpdump -i eth0 -n host 10.0.0.5 and port 80' and sees many packets with the SYN flag set but no corresponding ACK. Which attack is likely occurring?

A.SYN flood
B.ICMP flood
C.UDP flood
D.Ping of Death
AnswerA

SYN flood sends many TCP SYN packets without completing the handshake, causing half-open connections.

Why this answer

The TCP three-way handshake is SYN, SYN-ACK, ACK. Seeing many SYNs to the server that are never followed by the client's ACK (the server's SYN-ACKs go unanswered) indicates a SYN flood, where the attacker sends SYNs, often from spoofed addresses, and never completes the handshake, leaving half-open connections that exhaust the server's backlog.

123
Multi-Selectmedium

Which TWO of the following are characteristics of a polymorphic virus? (Select 2)

Select 2 answers
A.It spreads via email attachments only
B.It changes its code signature each time it replicates
C.It requires a host file to attach
D.It self-replicates without user interaction
E.It uses encryption to hide its payload
AnswersB, E

Why this answer

Polymorphic viruses change their code with each infection to evade signature detection, and they use encryption or mutation engines.
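
Q115, Q120 and Q123 describe why polymorphism defeats byte signatures. The added example below (not part of the quiz page, and not malware) models the mechanism with a harmless byte string: each "generation" XOR-encodes the same payload under a fresh random key behind a variable-length filler, so every variant has a different hash and a signature taken from the payload never matches the stored bytes, yet a check that first runs the decoder matches every time. The container layout is invented for the demonstration.

```python
"""Toy model of polymorphic encoding: same payload, different bytes each generation (added example)."""
import hashlib
import secrets

PAYLOAD = b"benign demo payload: prints a message"   # stands in for the virus body


def encode(payload: bytes, key: bytes) -> bytes:
    """Repeating-key XOR, the classic body transform; XOR is its own inverse."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(payload))


def generate_variant(payload: bytes = PAYLOAD, key_len: int = 4) -> bytes:
    """A new 'infection': fresh random key, stored after a variable-length junk prefix.
    Layout (invented): [junk_len][junk][key_len][key][encoded body]."""
    key = secrets.token_bytes(key_len)
    junk = secrets.token_bytes(secrets.randbelow(8))
    return bytes([len(junk)]) + junk + bytes([key_len]) + key + encode(payload, key)


def decode_variant(blob: bytes) -> bytes:
    """The decoder every variant carries; in real samples this is the part engines emulate."""
    junk_len = blob[0]
    pos = 1 + junk_len
    key_len = blob[pos]
    key = blob[pos + 1: pos + 1 + key_len]
    return encode(blob[pos + 1 + key_len:], key)


def signature_match(blob: bytes, signature: bytes) -> bool:
    """Static check: does a fixed byte sequence appear in the file as stored?"""
    return signature in blob


def emulate_and_match(blob: bytes, signature: bytes) -> bool:
    """Emulation-based check: run the decoder first, then look for the signature."""
    return signature in decode_variant(blob)


def demo(generations: int = 5):
    variants = [generate_variant() for _ in range(generations)]
    sig = PAYLOAD[:12]                          # a signature cut from the plaintext body
    return {
        "distinct_hashes": len({hashlib.sha256(v).hexdigest() for v in variants}),
        "static_hits": sum(signature_match(v, sig) for v in variants),
        "emulated_hits": sum(emulate_and_match(v, sig) for v in variants),
        "all_decode_to_payload": all(decode_variant(v) == PAYLOAD for v in variants),
    }


if __name__ == "__main__":
    print(demo())
```

Note that the decoder here is constant, so a real engine would simply sign the decoder; genuinely polymorphic engines mutate the decryption loop too (register renaming, junk instructions, equivalent instruction substitution), which is why detection moved to emulation and behavioural analysis.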

124
Multi-Selectmedium

Which TWO of the following are techniques used in session hijacking? (Choose 2)

Select 2 answers
A.Cookie theft
B.MAC flooding
C.ARP poisoning
D.TCP sequence prediction
E.DNS spoofing
AnswersA, D

Stealing session cookies allows an attacker to impersonate a user.

Why this answer

Session hijacking involves stealing or predicting session tokens. TCP sequence prediction allows an attacker to inject packets, and cookie theft reveals session identifiers.
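
The sequence-prediction technique named in Q83, Q88, Q89 and Q124 only works when a target's initial sequence numbers (ISNs) are predictable. The added example below (not from the quiz page) models two toy ISN generators, the historic fixed-increment scheme and a CSPRNG-based one, collects a few probe ISNs the way an attacker would, scores their predictability, and checks whether an extrapolated guess would match the ISN the target actually picks for the spoofed connection. It touches no network; both generators are simplified models.

```python
"""Why TCP sequence prediction works against predictable ISNs and not random ones (added example)."""
import secrets
import statistics

MOD = 2 ** 32


class IncrementalISN:
    """Historic generator: the ISN grows by a fixed step for every new connection."""

    def __init__(self, start=0x10000, step=64000):
        self.value, self.step = start, step

    def next(self) -> int:
        self.value = (self.value + self.step) % MOD
        return self.value


class RandomISN:
    """Modern generator: 32 bits from a CSPRNG per connection (RFC 6528 style, simplified)."""

    def next(self) -> int:
        return secrets.randbelow(MOD)


def observe(gen, probes=6):
    """What the attacker collects: ISNs from a few probe connections to the target."""
    return [gen.next() for _ in range(probes)]


def deltas(isns):
    return [(b - a) % MOD for a, b in zip(isns, isns[1:])]


def predictability_score(isns) -> float:
    """Population std-dev of the deltas; near 0 means the next ISN is a sure thing."""
    return statistics.pstdev(deltas(isns))


def predict_next(isns) -> int:
    """Extrapolate with the median delta (robust to one noisy sample)."""
    return (isns[-1] + int(statistics.median(deltas(isns)))) % MOD


def spoof_attempt(gen, probes=6) -> bool:
    """Probe, predict, then see whether the guess equals the ISN the target really uses
    for the attacker's spoofed connection (the number that must be ACKed blind)."""
    guess = predict_next(observe(gen, probes))
    actual = gen.next()
    return guess == actual


def demo():
    return {
        "incremental": {"score": predictability_score(observe(IncrementalISN())),
                        "hijack_succeeds": spoof_attempt(IncrementalISN())},
        "random": {"score": predictability_score(observe(RandomISN())),
                   "hijack_succeeds": spoof_attempt(RandomISN())},
    }


if __name__ == "__main__":
    print(demo())
```

With the incremental generator the score is 0 and the guess is always right; with the random generator the score is in the billions and a correct blind guess has odds of about one in 2^32 per attempt, which is why modern stacks randomise ISNs. nmap's "TCP Sequence Prediction" difficulty index reports the same idea for a live host.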

125
MCQhard

An analyst runs the following command: `tcpdump -i eth0 src host 192.168.1.10 and dst port 80 -w http_traffic.pcap`. What is the primary purpose of this command?

A.To perform a man-in-the-middle attack on HTTP traffic
B.To capture all traffic on eth0 and display it in real-time
C.To capture only HTTP traffic from a specific source IP and save it to a file
D.To analyze the payload of HTTP packets in real-time
AnswerC

Correct. src host 192.168.1.10 and dst port 80 filter traffic; -w saves to file.

Why this answer

The command captures packets from source IP 192.168.1.10 with destination port 80 (the HTTP requests, not the replies) and writes them to a file for later analysis. Note that tcpdump expects options before the filter expression: placing '-w http_traffic.pcap' after the expression works on Linux because glibc's getopt permutes arguments, but it fails with a syntax error on BSD and macOS, so put '-w' before the filter for portability.
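
Q106 and Q125 differ only in their filter expression, and the difference matters. The added example below (not from the quiz page, and not a BPF compiler) evaluates both expressions against a handful of constructed packets to show which are kept: 'host X and port 80' catches both directions and also UDP to port 80, while 'src host Y and dst port 80' catches only Y's outgoing requests, to any server.

```python
"""Evaluate the tcpdump filters from Q106 and Q125 against constructed packets (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    sport: int
    dport: int


# Constructed traffic seen on the capture interface.
PACKETS = [
    Packet("192.168.1.10", "10.0.0.5", "tcp", 51000, 80),    # client request to web server
    Packet("10.0.0.5", "192.168.1.10", "tcp", 80, 51000),    # server reply
    Packet("192.168.1.10", "10.0.0.5", "tcp", 51001, 443),   # HTTPS to the same host
    Packet("10.0.0.5", "10.0.0.53", "udp", 40000, 53),       # DNS lookup from the server
    Packet("172.16.0.9", "10.0.0.5", "udp", 33333, 80),      # UDP to port 80 (not HTTP)
    Packet("192.168.1.10", "10.0.0.6", "tcp", 51002, 80),    # HTTP to a different host
]


def matches(expr: str, pkt: Packet) -> bool:
    """Evaluate a conjunction ('and') of BPF-like primitives against one packet."""
    for prim in (p.strip() for p in expr.split(" and ")):
        tok = prim.split()
        if tok[0] in ("tcp", "udp"):                    # 'tcp' or 'tcp port N'
            ok = pkt.proto == tok[0]
            if len(tok) == 3 and tok[1] == "port":
                ok = ok and int(tok[2]) in (pkt.sport, pkt.dport)
        elif tok[:2] == ["src", "host"]:
            ok = pkt.src == tok[2]
        elif tok[:2] == ["dst", "host"]:
            ok = pkt.dst == tok[2]
        elif tok[0] == "host":                          # either direction
            ok = tok[1] in (pkt.src, pkt.dst)
        elif tok[:2] == ["src", "port"]:
            ok = pkt.sport == int(tok[2])
        elif tok[:2] == ["dst", "port"]:
            ok = pkt.dport == int(tok[2])
        elif tok[0] == "port":                          # either port, TCP or UDP
            ok = int(tok[1]) in (pkt.sport, pkt.dport)
        else:
            raise ValueError(f"unsupported primitive: {prim!r}")
        if not ok:
            return False
    return True


def capture(expr: str, packets=PACKETS):
    """Packets the filter would write to the pcap."""
    return [p for p in packets if matches(expr, p)]


if __name__ == "__main__":
    for expr in ("host 10.0.0.5 and port 80",
                 "host 10.0.0.5 and tcp port 80",
                 "src host 192.168.1.10 and dst port 80"):
        print(expr, "->", len(capture(expr)), "packets")
```

The Q106 filter keeps the request, the reply and the stray UDP datagram; adding 'tcp' drops the UDP one. The Q125 filter keeps only requests from 192.168.1.10, including the one to 10.0.0.6, and none of the replies, so a pcap made with it cannot be used to reassemble HTTP transactions.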

126
MCQmedium

An organization wants to test its employees' susceptibility to social engineering by sending fake emails that appear to come from the IT department, requesting password resets. Which tool would be MOST effective for conducting this test?

A.Social Engineering Toolkit (SET)
B.Wireshark
C.Metasploit
D.Nmap
AnswerA

SET is designed for social engineering attacks, including spear phishing and credential harvesting.

Why this answer

The Social Engineering Toolkit (SET) is a dedicated open-source framework for social engineering attacks, including phishing campaigns and credential-harvesting pages. Commercial awareness platforms such as PhishMe and KnowBe4 serve the same purpose, but among the listed options SET is the only tool built for it.

127
MCQhard

An incident response team discovers a suspicious executable on a compromised workstation. They want to analyze the malware without executing it. Which of the following techniques would be MOST appropriate for this initial analysis?

A.Capturing network traffic with Wireshark during execution
B.Using the 'strings' command to extract embedded text
C.Monitoring process behavior with Process Monitor
D.Running the executable in a sandboxed environment
AnswerB

strings is a static analysis tool: it prints runs of printable characters (ASCII by default; UTF-16LE with `-e l`) found in the binary without executing it.

Why this answer

Static analysis involves examining the malware without executing it. Using strings to extract readable characters is a common static analysis technique.

128
MCQhard

An organization experiences a DDoS attack where the attacker sends many incomplete HTTP requests that keep connections open, exhausting the server's connection pool. Which attack technique is being used?

A.UDP flood
B.HTTP flood
C.SYN flood
D.Slowloris
AnswerD

Slowloris sends partial HTTP headers slowly, holding connections open until the server's limit is reached.

Why this answer

Slowloris is an application-layer DDoS attack that sends partial HTTP requests to keep many connections open, eventually exhausting the server's resources.

129
Multi-Selectmedium

Which TWO of the following are characteristics of a SYN flood attack? (Select 2)

Select 2 answers
A.It exploits the TCP three-way handshake
B.It uses UDP amplification
C.It sends a large number of ICMP echo requests
D.It requires the attacker to have a botnet
E.It results in a backlog of incomplete connections
AnswersA, E

SYN flood targets the handshake by sending SYN packets without completing it.

Why this answer

SYN flood attacks send many SYN packets (often with spoofed source IPs) and never complete the handshake, leaving half-open connections in the listen backlog until it is exhausted. A single host can do this with spoofed sources, so a botnet (D) is not required; UDP amplification (B) and ICMP echo floods (C) are different attacks.

130
MCQeasy

A user receives a phone call from someone claiming to be from IT support, asking for their password to troubleshoot an issue. Which social engineering technique is being used?

A.Phishing
B.Pretexting
C.Baiting
D.Vishing
AnswerB

Correct. The attacker uses a false pretext (IT support) to obtain sensitive information.

Why this answer

Pretexting involves creating a fabricated scenario (pretext) to obtain information; here the attacker pretends to be IT support to trick the user into revealing a password. Vishing (D) names the delivery channel (a voice call), but the question asks for the technique, and the fabricated IT-support role is what makes the request credible.

131
MCQmedium

A security analyst observes a sudden surge in incoming UDP traffic to the company's DNS servers from multiple external IP addresses. The packets appear to be DNS queries with spoofed source IPs. Which type of DDoS attack is MOST likely occurring?

A.SYN flood
B.DNS amplification
C.UDP flood
D.ICMP flood
AnswerB

DNS amplification uses open resolvers to send large responses to spoofed victims.

Why this answer

A DNS amplification attack sends small queries, with the victim's address as the spoofed source, to DNS servers that will answer them; the servers' large responses are delivered to the victim, multiplying the attacker's bandwidth. From the point of view of the company's DNS servers, they are being used as reflectors, and the spoofed source address is the real target.

132
MCQhard

A security analyst captures network traffic and sees a sequence of ARP replies with the same IP address mapping to different MAC addresses within a short period. Which attack is indicated?

A.DNS spoofing
B.ARP poisoning
C.DHCP starvation
D.MAC flooding
AnswerB

ARP poisoning sends forged ARP replies so that hosts map another station's IP (typically the gateway's) to the attacker's MAC.

Why this answer

ARP poisoning sends unsolicited or spoofed ARP replies that bind a victim's IP to the attacker's MAC. The flapping seen in the capture, one IP advertised with two different MACs in quick succession, is the legitimate host and the attacker both answering, and it lets the attacker intercept traffic (MITM). Dynamic ARP Inspection on the switch, built on the DHCP snooping binding table, is the standard preventive control.
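The detection logic behind this question, as an added example that is not part of the quiz page: the script replays constructed ARP reply records (sample data, not a real capture) and flags an IP whose advertised MAC changes within a short window, plus a MAC that claims more than one IP, which is the usual shape of an attacker poisoning both the victim and the gateway. The 30-second window and the records themselves are assumptions.

```python
"""Added example: flag IPs whose ARP-advertised MAC flaps, and MACs that claim several IPs."""
from collections import defaultdict

# Constructed ARP reply records (timestamp in seconds, sender IP, sender MAC),
# in the order a sniffer on the segment would see them.  Sample data, not a real capture.
ARP_REPLIES = [
    (0.0, "192.168.1.1", "00:11:22:33:44:01"),    # gateway, legitimate reply
    (0.5, "192.168.1.20", "00:11:22:33:44:20"),   # victim workstation, legitimate
    (1.0, "192.168.1.1", "de:ad:be:ef:00:01"),    # gateway IP now claimed by attacker MAC
    (1.2, "192.168.1.20", "de:ad:be:ef:00:01"),   # victim IP also claimed by attacker MAC
    (2.0, "192.168.1.1", "00:11:22:33:44:01"),    # real gateway answers again: flapping
    (40.0, "192.168.1.30", "00:11:22:33:44:30"),  # unrelated host, stable mapping
    (41.0, "192.168.1.30", "00:11:22:33:44:30"),
]

def detect_arp_poisoning(replies, window=30.0):
    """Return alert strings for two signatures of ARP poisoning.

    1. An IP whose MAC changes within `window` seconds (legitimate host and
       attacker both replying).
    2. A single MAC that claims more than one IP (attacker impersonating both
       ends of a conversation to sit in the middle).
    """
    last_seen = {}                      # ip -> (mac, timestamp of last reply)
    ips_per_mac = defaultdict(set)      # mac -> set of IPs it has claimed
    alerts = []
    for ts, ip, mac in sorted(replies):
        prev = last_seen.get(ip)
        if prev and prev[0] != mac and ts - prev[1] <= window:
            alerts.append(f"{ip} changed {prev[0]} -> {mac} after {ts - prev[1]:.1f}s")
        last_seen[ip] = (mac, ts)
        ips_per_mac[mac].add(ip)
    for mac, ips in ips_per_mac.items():
        if len(ips) > 1:
            alerts.append(f"{mac} claims {len(ips)} IPs: {', '.join(sorted(ips))}")
    return alerts

if __name__ == "__main__":
    for alert in detect_arp_poisoning(ARP_REPLIES):
        print(alert)
```

A MAC change on its own has benign causes (HSRP/VRRP failover, a replaced NIC, a reimaged host), so the second rule, one MAC claiming several IPs including the gateway, is the stronger indicator. On the switch, Dynamic ARP Inspection validates each ARP reply against the DHCP snooping binding table and drops the forged ones before any host cache is poisoned.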

133
Multi-Selectmedium

A network administrator notices unusual traffic patterns: the organization's DNS server is receiving a flood of small DNS queries (for example, for ANY or large TXT records) whose source IP has been spoofed, so that the server's large responses go to the spoofed address rather than to the real sender. The traffic appears to be amplification requests. Which TWO characteristics describe this attack?

Select 2 answers
A.It is a protocol-specific attack targeting TCP SYN packets
B.It relies on open DNS resolvers to amplify traffic
C.It exploits the ARP protocol to redirect traffic
D.It is a form of DDoS attack
E.It requires the attacker to be on the same subnet as the victim
AnswersB, D

Open resolvers respond with large records, amplifying traffic.

Why this answer

DNS amplification uses a spoofed source IP and open (or otherwise unrestricted) resolvers to multiply traffic: small queries produce large responses that are delivered to the spoofed address, overwhelming the victim. It is a volumetric DDoS, not a protocol attack like a SYN flood (A), it has nothing to do with ARP (C), and the attacker can be anywhere on the Internet (E).
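As an added example (not part of the quiz page) of why this attack amplifies and how a resolver operator spots it, covering this question and question 131: a minimal DNS query serialized with `struct`, to show how small the attacker's packet is, and a scorer that reads a constructed resolver log (sample lines, not real data) and reports "clients" whose response-to-query byte ratio is far too high across a burst of identical queries. The log format, thresholds and byte sizes are assumptions.

```python
"""Added example: DNS reflection amplification, and spotting a spoofed victim in a resolver log."""
import struct
from collections import defaultdict

def build_dns_query(name, qtype=255, txid=0x1234):
    """Serialize a minimal DNS query (RFC 1035). qtype 255 is ANY, the classic amplifier."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # flags 0x0100 = RD, one question
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"                                                  # root label terminates the name
    return header + qname + struct.pack("!HH", qtype, 1)         # qclass 1 = IN

def amplification_factor(query_bytes, response_bytes):
    """Bytes the victim receives for every byte the attacker has to send."""
    return response_bytes / query_bytes

# Constructed resolver log, not a real one:
# (timestamp, client_ip as seen on the wire, qname, qtype, query_bytes, response_bytes)
RESOLVER_LOG = [
    (0.00, "203.0.113.7", "example.com", 255, 29, 1420),   # four identical ANY queries in 30 ms
    (0.01, "203.0.113.7", "example.com", 255, 29, 1420),   # 203.0.113.7 never sent them: it is
    (0.02, "203.0.113.7", "example.com", 255, 29, 1420),   # the spoofed source, i.e. the victim
    (0.03, "203.0.113.7", "example.com", 255, 29, 1420),
    (1.00, "192.0.2.10", "www.example.com", 1, 33, 49),    # ordinary A lookup
    (2.00, "192.0.2.11", "example.com", 15, 29, 80),       # ordinary MX lookup
]

def find_reflection_victims(log, min_factor=10.0, min_queries=3):
    """Return {ip: factor} for addresses that received a burst of high-amplification answers.

    A spoofed victim shows up in the resolver's own log as a client sending many
    identical, high-yield queries it never actually sent.
    """
    sent, received, count = defaultdict(int), defaultdict(int), defaultdict(int)
    for _ts, client, _qname, _qtype, qbytes, rbytes in log:
        sent[client] += qbytes
        received[client] += rbytes
        count[client] += 1
    return {
        ip: round(received[ip] / sent[ip], 1)
        for ip in sent
        if count[ip] >= min_queries and received[ip] / sent[ip] >= min_factor
    }

if __name__ == "__main__":
    q = build_dns_query("example.com")
    print(f"ANY query for example.com is {len(q)} bytes on the wire")
    print("suspected reflection victims:", find_reflection_victims(RESOLVER_LOG))
```

The 29-byte query against a response of around 1.4 KB gives a factor near 50, and EDNS0 (which lets responses exceed 512 bytes) is what makes the large answers possible. The defences follow from the mechanics: do not run an open recursive resolver, enable Response Rate Limiting on authoritative servers (available in BIND, NSD and Knot), and deploy BCP 38 ingress filtering so packets with spoofed sources never leave the attacker's network in the first place.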

134
MCQhard

A penetration tester wants to perform a stealth scan without completing the TCP three-way handshake. The target is a web server on port 80. The tester uses Nmap with the -sS flag. What is the expected behavior if the port is open?

A.The tester receives a SYN/ACK and sends an RST to tear down the connection.
B.The tester receives an RST, indicating the port is closed.
C.The tester receives no response, indicating a filtered port.
D.The tester receives a SYN/ACK and sends an ACK to establish the connection.
AnswerA

This is the standard behavior for a SYN scan: after receiving SYN/ACK, the tester sends RST to avoid completing the handshake.

Why this answer

A SYN scan sends a SYN; if the port is open the target answers SYN/ACK and the scanner immediately sends an RST, so no full connection (and usually no application-level log entry) is created. An RST in reply means the port is closed (B), and no reply or an ICMP unreachable means it is filtered (C). Because the scanner must craft raw packets rather than use the OS socket API, `-sS` requires root or equivalent raw-socket privileges.

135
MCQmedium

Which DoS attack exploits the HTTP protocol by sending partial HTTP requests to keep connections open, exhausting server resources?

A.SYN flood
B.Slowloris
C.Ping of Death
D.UDP flood
AnswerB

Slowloris holds HTTP connections open by sending requests that never finish.

Why this answer

Slowloris sends partial HTTP headers to keep many connections open, consuming server threads.
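For this question and question 128, an added example that is not part of the quiz page: the server-side defence that defeats Slowloris, written as a reaper over a constructed snapshot of a server's connection table (sample data, not a real server). It closes partial requests that have outlived the header deadline and caps concurrent connections per client address. The timeout, the cap and the connection records are assumptions.

```python
"""Added example: a connection reaper implementing the two standard Slowloris mitigations."""
from collections import defaultdict

HEADER_TIMEOUT = 10.0   # seconds a client gets to finish sending its request headers
MAX_CONN_PER_IP = 20    # concurrent connections allowed per client address

# Constructed snapshot of the server's connection table at time NOW (not real data):
# (conn_id, client_ip, opened_at, headers_complete)
NOW = 30.0
CONNECTIONS = (
    [(1, "198.51.100.5", 29.5, True),      # normal request, headers already complete
     (2, "198.51.100.6", 27.0, False)]     # slow client, but still inside the deadline
    # Slowloris client: 8 stale partial requests plus 25 fresh ones, all without a final CRLF
    + [(100 + i, "203.0.113.9", 5.0 + i * 0.1, False) for i in range(8)]
    + [(200 + i, "203.0.113.9", 25.0 + i * 0.1, False) for i in range(25)]
)

def reap(connections, now, header_timeout=HEADER_TIMEOUT, max_per_ip=MAX_CONN_PER_IP):
    """Return {conn_id: reason} for every connection that should be closed right now."""
    to_close = {}
    # Rule 1: a request whose headers are still incomplete after the deadline is dropped.
    # This is what Apache's mod_reqtimeout and nginx's client_header_timeout enforce.
    for conn_id, _ip, opened_at, complete in connections:
        if not complete and now - opened_at > header_timeout:
            to_close[conn_id] = "header timeout"
    # Rule 2: per-client cap, keeping the oldest `max_per_ip` surviving connections
    # so one address cannot monopolise the worker pool even with fresh connections.
    by_ip = defaultdict(list)
    for conn in connections:
        if conn[0] not in to_close:
            by_ip[conn[1]].append(conn)
    for conns in by_ip.values():
        for conn in sorted(conns, key=lambda c: c[2])[max_per_ip:]:
            to_close[conn[0]] = "per-ip cap"
    return to_close

def surviving(connections, now):
    """Connections left after one reaper pass."""
    closed = reap(connections, now)
    return [c for c in connections if c[0] not in closed]

if __name__ == "__main__":
    for conn_id, reason in sorted(reap(CONNECTIONS, NOW).items()):
        print(f"close {conn_id}: {reason}")
```

Rule 1 is what `RequestReadTimeout header=20-40,MinRate=500` (Apache mod_reqtimeout) and `client_header_timeout` (nginx) implement; rule 2 corresponds to nginx's `limit_conn`. Slowloris bites hardest on servers that dedicate a thread or process to each connection, which is why putting an event-driven reverse proxy or CDN in front of such a server is also an effective mitigation.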

136
MCQmedium

An attacker calls a company's help desk, pretending to be a new employee who forgot his username and password. The attacker provides some employee details gleaned from social media and convinces the help desk to reset the password. Which social engineering technique is being used?

A.Tailgating
B.Quid pro quo
C.Baiting
D.Pretexting
AnswerD

The attacker uses a fabricated pretext to gain trust.

Why this answer

Pretexting involves creating a fabricated scenario (pretext) to obtain information. The attacker invents a story (new employee) to manipulate the help desk.

137
MCQhard

During a penetration test, you capture the following output: 'HTTP/1.1 200 OK ... Set-Cookie: sessionid=abc123; path=/'. You then send a request with a modified cookie value 'sessionid=abc124' and receive a valid session. Which type of vulnerability has been exploited?

A.Cross-site scripting
B.SQL injection
C.Man-in-the-middle attack
D.Session hijacking via cookie prediction
AnswerD

Correct. The attacker predicted a valid session ID and used it to hijack the session.

Why this answer

This is session hijacking via session-ID prediction: after seeing sessionid=abc123, the attacker tried the adjacent value abc124 and it was accepted, which means the application issues sequential, low-entropy identifiers. Session IDs should come from a cryptographically secure random generator with at least 64 bits of entropy (OWASP guidance), and the cookie should carry the Secure and HttpOnly flags so it is neither sent in clear nor readable by script.
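An added example, not part of the quiz page, that turns the observation above into a check: it decides whether a sample of observed session IDs is sequential (so a neighbour's ID can be guessed from your own), gives a rough entropy gauge for comparison, and shows how an application should mint and set session IDs instead. The observed IDs are constructed sample data extending the abc123/abc124 pattern in the question; the base-36 decoding and the step limit are assumptions about how such counters are encoded.

```python
"""Added example: spotting predictable session IDs, and issuing unpredictable ones."""
import math
import secrets
from collections import Counter

BASE36 = "0123456789abcdefghijklmnopqrstuvwxyz"

# Constructed sample of IDs observed across several logins (sample data, not a real app).
OBSERVED = ["abc123", "abc124", "abc125", "abc127", "abc128"]

def looks_sequential(ids, alphabet=BASE36, max_step=100):
    """True if the IDs decode as base-N counters that only ever step forward by a small amount.

    That is exactly the property an attacker needs: log in, read your own ID,
    and try the next few values to land in someone else's session.
    """
    base = len(alphabet)
    values = []
    for sid in ids:
        if any(ch not in alphabet for ch in sid):
            return False                   # characters outside the counter alphabet: not a counter
        values.append(sum(alphabet.index(ch) * base ** i for i, ch in enumerate(reversed(sid))))
    if len(values) < 3:
        return False                       # too few samples to call it a pattern
    steps = [b - a for a, b in zip(values, values[1:])]
    return all(0 < step <= max_step for step in steps)

def entropy_bits_per_char(ids):
    """Empirical Shannon entropy of the characters used; low values mean a narrow, guessable alphabet."""
    counts = Counter("".join(ids))
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values())

def new_session_id(nbytes=32):
    """CSPRNG-backed identifier: 256 bits of entropy, well above the 64-bit floor OWASP recommends."""
    return secrets.token_urlsafe(nbytes)

def set_cookie_header(session_id):
    """Flags that keep the ID off the wire in clear (Secure) and out of reach of script (HttpOnly)."""
    return f"Set-Cookie: sessionid={session_id}; Path=/; Secure; HttpOnly; SameSite=Lax"

if __name__ == "__main__":
    print("observed IDs sequential:", looks_sequential(OBSERVED))
    print("observed entropy/char:", round(entropy_bits_per_char(OBSERVED), 2))
    fresh = [new_session_id() for _ in range(5)]
    print("fresh IDs sequential:", looks_sequential(fresh))
    print(set_cookie_header(fresh[0]))
```

The entropy figure is only a sanity check (a short sample cannot prove randomness), but the sequential test is decisive in the other direction: if it returns True, the session ID is a counter and the application is vulnerable regardless of how long the IDs are. Pairing a random ID with the Secure and HttpOnly flags also closes the theft routes from question 124 (sniffing and script access).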

138
MCQmedium

Which of the following is the BEST defense against a TCP SYN flood attack?

A.Ingress filtering
B.Intrusion detection system
C.Rate limiting
D.SYN cookies
AnswerD

SYN cookies let the server answer SYNs without storing half-open connection state, so the backlog cannot be exhausted.

Why this answer

SYN cookies encode the connection state (a timestamp, an MSS hint and a keyed hash of the addresses and ports) into the initial sequence number of the SYN/ACK, so the server allocates nothing until the final ACK returns a valid cookie. The trade-off is that some TCP options (window scaling, SACK) are not remembered while cookies are in use, which is why they are a defence activated under load rather than the normal mode. Ingress filtering (A) and rate limiting (C) help but do not address the half-open state problem directly, and an IDS (B) only detects.
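As an added example that is not part of the quiz page, a toy SYN-cookie server that ties together questions 129, 134 and 138: it answers every SYN with a SYN/ACK whose sequence number is the cookie, keeps no half-open state, and creates a connection only when a final ACK proves knowledge of a fresh cookie. A legitimate client completes the handshake, a SYN scanner (which sends RST instead of ACK) and a spoofed SYN flood leave nothing behind, and a forged or stale ACK is rejected. The cookie layout, the secret, the MSS table and the two-minute validity window are assumptions modelled loosely on the Linux scheme, not the kernel's actual code.

```python
"""Added example: a toy SYN-cookie server.  The server never queues a half-open
connection.  It encodes a minute counter, an MSS hint and a MAC of the 4-tuple
into the ISN of its SYN/ACK, and allocates state only when a valid cookie+1 comes back."""
import hashlib
import hmac
import ipaddress
import struct

SECRET = b"demo-only secret; a real kernel uses a per-boot random key"   # assumption
MSS_TABLE = [536, 1220, 1440, 1460]   # only 2 bits of MSS survive in the cookie

def make_cookie(src, sport, dst, dport, client_isn, t, mss_index):
    """32-bit cookie: 5 bits of minute counter | 2 bits MSS index | 25-bit keyed hash."""
    msg = struct.pack("!4s4sHHII",
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed,
                      sport, dport, client_isn, t & 31)
    mac = int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:4], "big")
    return ((t & 31) << 27) | (mss_index << 25) | (mac & ((1 << 25) - 1))

def check_cookie(src, sport, dst, dport, client_isn, ack, now, max_age=2):
    """Return the MSS encoded in the cookie if `ack` is cookie+1 for a fresh cookie, else None."""
    cookie = (ack - 1) & 0xFFFFFFFF
    t = cookie >> 27
    if (now - t) % 32 > max_age:                 # too old, or a forged timestamp field
        return None
    mss_index = (cookie >> 25) & 3
    if make_cookie(src, sport, dst, dport, client_isn, t, mss_index) != cookie:
        return None                              # MAC mismatch: forged, or wrong 4-tuple
    return MSS_TABLE[mss_index]

class SynCookieServer:
    def __init__(self, ip, port, now=0):
        self.ip, self.port, self.now = ip, port, now   # `now` is a minute counter
        self.established = []          # the only connection state the server keeps

    def on_syn(self, src, sport, client_isn, mss=1460):
        """Answer SYN with SYN/ACK whose ISN is the cookie.  Nothing is stored."""
        mss_index = max([i for i, m in enumerate(MSS_TABLE) if m <= mss] or [0])
        cookie = make_cookie(src, sport, self.ip, self.port, client_isn, self.now, mss_index)
        return {"flags": "SYN/ACK", "seq": cookie, "ack": (client_isn + 1) & 0xFFFFFFFF}

    def on_ack(self, src, sport, client_isn, ack):
        """Final ACK of the handshake: accept only if it proves knowledge of a valid cookie."""
        mss = check_cookie(src, sport, self.ip, self.port, client_isn, ack, self.now)
        if mss is None:
            return False
        self.established.append((src, sport, mss))
        return True

def legitimate_handshake(server, src="198.51.100.20", sport=40000, client_isn=1000):
    """SYN -> SYN/ACK(cookie) -> ACK(cookie+1): the normal three-way handshake."""
    synack = server.on_syn(src, sport, client_isn)
    return server.on_ack(src, sport, client_isn, synack["seq"] + 1)

def syn_scan(server, src="198.51.100.99", sport=54321, client_isn=7):
    """nmap -sS behaviour: SYN, read the SYN/ACK, send RST, never ACK.  Port looks open,
    and the server has nothing to tear down because it stored nothing."""
    before = len(server.established)
    synack = server.on_syn(src, sport, client_isn)
    return synack["flags"] == "SYN/ACK" and len(server.established) == before

def spoofed_syn_flood(server, n=10000):
    """n SYNs from forged sources; returns how many connections the server holds afterwards."""
    for i in range(n):
        server.on_syn(f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}", 1024 + (i % 60000), i)
    return len(server.established)

if __name__ == "__main__":
    srv = SynCookieServer("203.0.113.1", 80, now=7)
    print("legitimate client accepted:", legitimate_handshake(srv))
    print("SYN scan saw open port, left no state:", syn_scan(srv))
    print("connections after 10000 spoofed SYNs:", spoofed_syn_flood(srv))
```

On Linux the real mechanism is enabled with `net.ipv4.tcp_syncookies=1` and kicks in once the SYN backlog overflows. The example also shows the cost noted above: the cookie has room for a 2-bit MSS index and nothing else, so window scaling and SACK from the client's SYN are lost unless the kernel can stash them elsewhere (Linux uses the TCP timestamp option for that).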

139
MCQeasy

A security analyst discovers a file named invoice.exe in an email attachment. Static analysis with PEiD indicates the file is packed with UPX. What is the BEST next step in analyzing this malware?

A.Execute the packed file on a production server
B.Unpack the file with UPX and then perform static analysis
C.Submit the packed file directly to VirusTotal
D.Delete the file immediately
AnswerB

Unpacking restores the original code so that static analysis is meaningful.

Why this answer

A UPX-packed binary shows almost no useful strings or imports until it is unpacked; for stock UPX, `upx -d` restores the original executable, although malware authors often corrupt the UPX header so the tool refuses, in which case the sample has to be dumped from memory after the stub has unpacked it. A sandbox needs no manual unpacking, because the packed program unpacks itself when it runs, but that is dynamic analysis and the question asks about continuing the static work.

140
MCQmedium

A security analyst runs 'strings malware.exe' and finds several URLs and IP addresses. The analyst then uploads the file to VirusTotal and gets a detection ratio of 5/70. What type of analysis has been performed?

A.Static analysis
B.Memory analysis
C.Reverse engineering
D.Dynamic analysis
AnswerA

Static analysis examines the file without running it; strings and a VirusTotal signature lookup are both static.

Why this answer

strings inspects the binary without executing it, and the VirusTotal detection ratio comes from antivirus engines scanning the file's content, so both are static methods. One caveat: uploading a sample to VirusTotal shares it with other subscribers (potentially including the attacker), so look up the file hash first and upload only when that is acceptable.

141
Multi-Selecthard

Which THREE of the following are effective DDoS mitigation techniques?

Select 3 answers
A.IP blacklisting
B.Increasing server resources
C.Scrubbing centers
D.Rate limiting
E.Anycast routing
AnswersC, D, E

Scrubbing centers are specialized facilities that clean traffic by removing malicious packets before forwarding the rest.

Why this answer

Rate limiting restricts traffic volume, scrubbing centers filter malicious traffic, and anycast advertises the same address from many sites so the attack is spread across them rather than concentrated on one. IP blacklisting alone is insufficient against a large, spoofed or botnet-sourced DDoS, and adding server resources merely raises the bar the attacker has to clear.

142
MCQmedium

Which tool would a penetration tester MOST likely use to perform ARP poisoning and conduct a man-in-the-middle attack on a local network?

A.Wireshark
B.Nmap
C.tcpdump
D.Ettercap
AnswerD

Correct. Ettercap is specifically designed for MITM attacks using ARP poisoning.

Why this answer

Ettercap is a comprehensive suite for man-in-the-middle attacks, including ARP poisoning, DNS spoofing, and packet sniffing.

143
MCQeasy

A security administrator notices that the network switch is broadcasting traffic to all ports as if it were a hub. The switch logs show a sudden flood of packets with random MAC addresses. Which attack is MOST likely occurring?

A.SYN flood
B.MAC flooding
C.ARP poisoning
D.DNS amplification
AnswerB

MAC flooding overflows the switch's CAM table, causing it to flood frames out all ports like a hub.

Why this answer

MAC flooding attacks send many frames with different source MAC addresses, overflowing the switch's CAM (MAC address) table. Unable to learn new addresses, the switch floods unicast frames out all ports, so the attacker can sniff traffic that would otherwise be forwarded only to the correct port. Port security (`switchport port-security` with a maximum address count and a violation action) is the standard defence.

144
MCQhard

A security analyst is analyzing a suspicious file and runs the command 'strings malware.exe | grep -i http'. The output shows several URLs ending with '.exe'. What does this indicate?

A.The malware may download additional payloads from remote servers
B.The malware has a keylogger component
C.The malware is a boot sector virus
D.The malware is a worm that spreads via email
AnswerA

HTTP URLs with .exe suggest remote file retrieval.

Why this answer

strings extracts readable text; URLs that point to executable files suggest the malware acts as a downloader that fetches additional payloads. Treat the URLs and IPs as indicators to verify in a sandbox, not as proof: strings can be decoys, and a packed or obfuscated sample may hide the real ones.

145
MCQhard

A penetration tester uses a tool to spoof ARP replies, redirecting traffic through the tester's machine. The tester then captures credentials from the redirected traffic. Which tool is BEST suited for this task?

A.Ettercap
B.Wireshark
C.Nmap
D.tcpdump
AnswerA

Ettercap supports ARP poisoning, traffic redirection, and sniffing.

Why this answer

Ettercap is a comprehensive suite for MITM attacks, including ARP poisoning and sniffing.

146
MCQmedium

A malware analyst wants to examine a suspicious executable without executing it. The goal is to extract strings, view the PE header, and check for known signatures. Which approach is the analyst using?

A.Static analysis
B.Dynamic analysis
C.Heuristic analysis
D.Reverse engineering
AnswerA

Static analysis examines the file without running it, using tools like strings, PEiD, and VirusTotal.

Why this answer

Static analysis involves examining the file without executing it. Techniques include string extraction, PE header analysis, and signature-based checks (e.g., VirusTotal).

147
MCQhard

A security analyst detects a file named 'invoice.pdf.exe' in an email attachment. When the file is submitted to VirusTotal, multiple engines detect it as a Trojan. The analyst wants to perform dynamic analysis to observe its behavior. Which approach is BEST?

A.Disassemble the file using IDA Pro to understand its code
B.Run 'strings' on the file and analyze the output
C.Execute the file in a sandboxed environment and monitor system calls
D.Submit the file again to VirusTotal for a second opinion
AnswerC

Dynamic analysis involves executing the malware and observing its behavior in a sandbox.

Why this answer

Dynamic analysis involves executing the malware in a controlled environment (sandbox) and monitoring its actions. Static analysis (strings, PEiD) examines the binary without execution. Submitting to VirusTotal is static, and disassembly is also static.

148
MCQmedium

A security analyst notices a high volume of ICMP Echo Reply packets on the network. The source IPs are varied, but the destination IP is the same. Which type of attack is MOST likely occurring?

A.UDP flood
B.Ping of Death
C.Smurf attack
D.ICMP flood
AnswerC

Correct. The large number of ICMP Echo Replies from multiple sources to a single target is characteristic of a Smurf attack.

Why this answer

A Smurf attack sends ICMP Echo Request packets to a network's broadcast address with the source IP spoofed to the target's address; every host on that network replies to the target, flooding it with ICMP Echo Replies from many sources. Modern routers drop directed broadcasts by default (Cisco IOS has had `no ip directed-broadcast` as the default since release 12.0), which is why Smurf is largely historical, but the reply-flood pattern still identifies it.

149
MCQmedium

A security team observes that a switch's MAC address table is full, and the switch has started flooding unicast traffic to all ports. Which attack has MOST likely been performed?

A.MAC flooding
B.ARP poisoning
C.MAC spoofing
D.DHCP starvation
AnswerA

MAC flooding uses many fake MAC addresses to overflow the CAM table, forcing the switch to flood traffic.

Why this answer

MAC flooding attacks fill the switch's CAM table, causing it to fail open and flood frames, enabling sniffing. MAC spoofing is about impersonating, ARP poisoning manipulates ARP caches, and DHCP starvation exhausts IP addresses.
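For this question and question 143, an added example that is not part of the quiz page: the detection side, a script that reads constructed MAC-learning events (sample data, not a real switch log) and flags a port on which far more distinct source MACs appear within a short window than any real station count could explain. A busy but legitimate port (a hypervisor uplink) is included to show the threshold at work; the window, threshold and event records are assumptions.

```python
"""Added example: detecting MAC flooding from per-port MAC-learning events."""
from collections import defaultdict

def fake_mac(i):
    """Deterministic locally-administered MAC for constructing sample events."""
    return f"02:00:00:{(i >> 16) & 255:02x}:{(i >> 8) & 255:02x}:{i & 255:02x}"

# Constructed learning events (timestamp, port, source_mac); not from a real switch.
EVENTS = (
    [(0.1, "Gi1/0/3", "00:11:22:33:44:55"), (0.2, "Gi1/0/3", "00:11:22:33:44:66"),
     (0.3, "Gi1/0/3", "00:11:22:33:44:55")]                                    # ordinary access port
    + [(5.0 + i * 0.02, "Gi1/0/9", fake_mac(0x9000 + i)) for i in range(40)]   # hypervisor uplink, busy but legitimate
    + [(10.0 + i * 0.002, "Gi1/0/7", fake_mac(0x7000 + i)) for i in range(300)]  # attacker flooding random MACs
)

def detect_mac_flooding(events, window=1.0, threshold=50):
    """Return {port: peak} for ports where more than `threshold` distinct source MACs
    were seen within any `window`-second span.  Honest ports show a handful."""
    active = defaultdict(dict)     # port -> {mac: last_seen}
    peaks = {}
    for ts, port, mac in sorted(events):
        seen = active[port]
        seen[mac] = ts
        for stale in [m for m, t in seen.items() if ts - t > window]:
            del seen[stale]        # slide the window forward
        if len(seen) > threshold:
            peaks[port] = max(peaks.get(port, 0), len(seen))
    return peaks

if __name__ == "__main__":
    print("flooded ports:", detect_mac_flooding(EVENTS))
```

The threshold has to be set per port role: an access port with one workstation should never learn more than a couple of addresses, while an uplink to a virtualization host legitimately carries dozens. That is exactly the knob port security exposes on Cisco switches (`switchport port-security maximum <n>` plus a `violation` action), so the preventive control and the detection rule share the same tuning question.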

150
MCQmedium

Which of the following is a form of social engineering where an attacker physically follows an authorized person into a restricted area without proper authentication?

A.Pretexting
B.Baiting
C.Tailgating
D.Quid pro quo
AnswerC

Tailgating is physically following someone into a restricted area.

Why this answer

Tailgating (also known as piggybacking) is a physical social engineering attack where an unauthorized person follows an authorized individual into a restricted area, bypassing authentication mechanisms such as badge readers, PIN pads, or biometric scanners. The attacker exploits the natural courtesy of the authorized person holding the door open, thereby gaining physical access without any credential validation.

Exam trap

EC-Council often tests tailgating by contrasting it with pretexting or baiting, so the trap is confusing physical access attacks (tailgating) with psychological manipulation attacks (pretexting, baiting, quid pro quo) that do not require physical proximity.

How to eliminate wrong answers

Option A is wrong because pretexting involves fabricating a scenario or identity (e.g., impersonating IT support) to trick a target into divulging information, not physically following someone into a restricted area. Option B is wrong because baiting relies on offering something enticing (e.g., a malware-infected USB drive left in a parking lot) to lure a victim into performing an action, not physical proximity or door access. Option D is wrong because quid pro quo involves an attacker offering a service or benefit (e.g., 'free tech support') in exchange for sensitive information or access, not physically trailing an authorized person.
